Customer login fails - auth'd against LDAP instead of DB

Moderator: crythias

aaroe
Znuny newbie
Posts: 3
Joined: 18 Nov 2011, 18:08
Znuny Version: 2.4.7
Real Name: Christian Rasmussen

Customer login fails - auth'd against LDAP instead of DB

Post by aaroe »

Hi there,

We recently upgraded our OTRS from 2.2 to 2.4.9. The process went smoothly and I didn't really believe that our setup was having any errors after the upgrade.
Today, a colleague of mine reported that customers were having problems authenticating. After investigating the problems, I found some very odd behaviour. Our setup consists of agents who are authenticated against our AD via LDAP. To authenticate as an agent you need to be a member of a special group in our AD. Customers have two backends - AD and DB. Since we also use OTRS to handle internal tickets, all AD users are allowed to log in with their domain user. For external customer users we authenticate with the OTRS database.

Our Config.pm looks like this (information has been omitted where I've put ###):

Code:

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    $Self->{DatabaseHost} = $dbserver || 'localhost';
    $Self->{Database} = $dbname || 'otrs2';
    $Self->{DatabaseUser} = $dbuser || 'otrs2';
    $Self->{DatabasePw} = '###';
    $Self->{DatabaseDSN} = "$dsn=$Self->{Database};host=$Self->{DatabaseHost};port=$dbport;";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/usr/share/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #
    # switch off the web based installer for the Debian package
    $Self->{'SecureMode'} = 1;

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    $Self->{'SecureMode'} = 1;
    $Self->{'Organization'} = '###';
    $Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
    $Self->{'FQDN'} = 'support.###.com';
    $Self->{'DefaultLanguage'} = 'en';
    $Self->{'DefaultCharset'} = 'utf-8';
    $Self->{'LogModule::SysLog::Facility'} = 'daemon';
    $Self->{'AdminEmail'} = 'sysadm@###.dk';
    $Self->{'DefaultTheme'} = 'Standard';

    # ---------------------------------------------------- #
    # data inserted by Capana Sysadmins                    #
    # ---------------------------------------------------- #

    # Show customer information on agent screens
    $Self->{'Ticket::Frontend::CustomerInfoCompose'} = 1;
    $Self->{'Ticket::Frontend::CustomerInfoZoom'} = 1;
    $Self->{'Ticket::Frontend::CustomerInfoQueue'} = 0;

    # Customer Groups
    $Self->{'CustomerGroupSupport'} =  '1';

    # Place All Customers in these groups
    $Self->{'CustomerGroupAlwaysGroups'} = ['users'];
    $Self->{'CustomerPanelCreateAccount'} =  '0';

    # Agent Authentication with ldap
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '###';
    $Self->{'AuthModule::LDAP::BaseDN'} = '###';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = '###';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '###';
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 60,
        async => 0,
        version => 3,
    };

    # Autocreate Userdata in Database at first LDAP login
    $Self->{UserSyncLDAPMap} = {
        UserFirstname => 'givenName',
        UserLastname => 'sn',
        UserEmail => 'mail',
    };

    $Self->{UserSyncLDAPGroups} = [ 'users' ];

    # LDAP Users must be members of the support group to get in!
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRSSupport,ou=Groups,dc=###,dc=dk';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    ### Configure Customer Backend
    $Self->{'CustomerUser2'} = {
        Name => 'Database Backend',
        Module => 'Kernel::System::CustomerUser::DB',
        Params => {
            Table => 'customer_user',
        },
        CustomerKey => 'login',
        CustomerID => 'customer_id',
        CustomerValid => 'valid_id',
        CustomerUserListFields => ['first_name', 'last_name', 'email'],
        CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['email'],
        CustomerUserNameFields => ['salutation','first_name','last_name'],
        CustomerUserEmailUniqCheck => 1,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserSalutation', 'Salutation', 'salutation',  1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'first_name',  1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'last_name',   1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'login',       1, 1, 'var', '', 0 ],
            [ 'UserPassword',   'Password',   'pw',          0, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'email',       0, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
            [ 'UserComment',     'Comment',   'comments',    1, 0, 'var', '', 0 ],
            [ 'ValidID',         'Valid',     'valid_id',    0, 1, 'int', '', 0 ],
        ],
        # default selections
        Selections => {
            UserSalutation => {
                'Mr.' => 'Mr.',
                'Mrs.' => 'Mrs.',
            },
        },
    };

    #
    #Customer LDAP Auth Backend Settings
    #

    # LDAP Authentication Part
    #$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    #$Self->{'Customer::AuthModule::LDAP::Host'} = '###';
    #$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '###';
    #$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    #$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '###';
    #$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '###';

    # User Information Mapping
    $Self->{'CustomerUser1'} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            SSCOPE => 'sub',
            AlwaysFilter => '',
            Host => '###',
            BaseDN => '###',
            UserDN => 'ldapbind@###',
            UserPw => '###',
            SourceCharset => 'utf-8',
            DestCharset => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenName', 'sn'],
        Map => [
            ['UserFirstname', 'Firstname', 'givenName', 1, 1, 'var'],
            ['UserLastname', 'Lastname', 'sn', 1, 1, 'var'],
            ['UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var'],
            ['UserEmail', 'Email', 'mail', 1, 1, 'var'],
            ['UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var'],
            ['UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var'],
        ],
    };

Now, when I attempt to log in with a user existing in our 'customer_users' table I get the following log entry in OTRS:

Code:

    CustomerUser: testerx authentication failed, no LDAP entry found!BaseDN='###', Filter='(sAMAccountName=testerx)', (REMOTE_ADDR: 10.0.2.23).

I have no idea why it's completely neglecting to check the local database for this user and instead insisting on authenticating it against our AD. I've gone through the 2.4.x manual to see if there have been any changes to how customer backends are set up which differ from the style we've used in 2.2.x - I haven't been able to spot anything crucial.

If I comment out the entire "CustomerUser1" bit and rename "CustomerUser2" to "CustomerUser" - leaving me with only the DB as backend for customer users, the result is still the same. No valid login and the same error reported in the log.
I'm quite puzzled about this and I'm sincerely hoping for some good advice from you guys.

Thanks in advance.
Christian
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer login fails - auth'd against LDAP instead of DB

Post by crythias »

I don't believe I see any customer authentication in your Config.pm. Customer lookup, yes, but customer auth, no.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
aaroe
Znuny newbie
Posts: 3
Joined: 18 Nov 2011, 18:08
Znuny Version: 2.4.7
Real Name: Christian Rasmussen

Re: Customer login fails - auth'd against LDAP instead of DB

Post by aaroe »

crythias wrote: "I don't believe I see any customer authentication in your Config.pm. Customer lookup, yes, but customer auth, no."
Hi crythias, thanks for your reply but I'm not quite sure I'm following you.
For the customer login via LDAP I have this snippet regarding authentication:

Code:

    # LDAP Authentication Part
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '###';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = '###';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '###';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '###';

I assume that what you're saying is that there should be an equivalent part for DB logins?
I'm puzzled because my Config.pm hasn't really changed since we upgraded from 2.2.x, and when I look at the docs for 2.4 and [DB backend for customers] I don't really see any difference in their example when comparing it to mine.

Can I please ask you to elaborate a bit on your point?

Thanks in advance
Christian
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer login fails - auth'd against LDAP instead of DB

Post by crythias »

I thought this was commented out above, but if not, it's exactly your problem.

Code:

    # LDAP Authentication Part
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '###';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = '###';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '###';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '###';

You forgot to append "1" to Host, BaseDN, ...
aaroe
Znuny newbie
Posts: 3
Joined: 18 Nov 2011, 18:08
Znuny Version: 2.4.7
Real Name: Christian Rasmussen

Re: Customer login fails - auth'd against LDAP instead of DB

Post by aaroe »

Oh sorry, I must have been unaware of the lines being commented out from my attempts to debug the problem.

The bit has now been changed to:

Code:

# LDAP Authentication Part
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = '###';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = '###';
$Self->{'Customer::AuthModule::LDAP::UID1'} = '###';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = '###';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '###';

I didn't find this detail listed anywhere in the article about multiple customer backends though :/

The weird part is that the LDAP customer backend isn't the one acting up - it's our DB one. The configuration for that is pretty much a copy-paste from the documentation:

Code:

        ### Configure Customer Backend
        $Self->{'CustomerUser2'} = {
                Name => 'Database Backend',
                Module => 'Kernel::System::CustomerUser::DB',
                Params => {
                        Table => 'customer_user',
                },
                CustomerKey => 'login',
                CustomerID => 'customer_id',
                CustomerValid => 'valid_id',
                CustomerUserListFields => ['first_name', 'last_name', 'email'],
                CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
                CustomerUserSearchPrefix => '',
                CustomerUserSearchSuffix => '*',
                CustomerUserSearchListLimit => 250,
                CustomerUserPostMasterSearchFields => ['email'],
                CustomerUserNameFields => ['salutation','first_name','last_name'],
                CustomerUserEmailUniqCheck => 1,
                Map => [
                    # note: Login, Email and CustomerID needed!
                    # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
                    [ 'UserSalutation', 'Salutation', 'salutation',  1, 0, 'var', '', 0 ],
                    [ 'UserFirstname',  'Firstname',  'first_name',  1, 1, 'var', '', 0 ],
                    [ 'UserLastname',   'Lastname',   'last_name',   1, 1, 'var', '', 0 ],
                    [ 'UserLogin',      'Username',   'login',       1, 1, 'var', '', 0 ],
                    [ 'UserPassword',   'Password',   'pw',          0, 1, 'var', '', 0 ],
                    [ 'UserEmail',      'Email',      'email',       0, 1, 'var', '', 0 ],
                    [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
                    [ 'UserComment',     'Comment',   'comments',    1, 0, 'var', '', 0 ],
                    [ 'ValidID',         'Valid',     'valid_id',    0, 1, 'int', '', 0 ],
                ],
                # default selections
                Selections => {
                    UserSalutation => {
                        'Mr.' => 'Mr.',
                        'Mrs.' => 'Mrs.',
                    },
                },
        };

But still, it fails. It still seems to neglect the DB for auth and rely solely on LDAP - at least, that's the only error I get in the System Log.

I can also see, in the database, that the format of the stored passwords has changed. Can that have anything to do with it?

Best regards
Christian
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer login fails - auth'd against LDAP instead of DB

Post by crythias »

If you have a CustomerUser2, you'll need an authentication against 2 (usually)
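Editor's worked example, not code from the thread or from the OTRS/Znuny project. It shows the pairing rule the thread arrives at: OTRS reads customer lookup backends from CustomerUser, CustomerUser1 .. CustomerUser10, and customer authentication modules from Customer::AuthModule, Customer::AuthModule1 .. Customer::AuthModule10, and each module reads its own settings with the same numeric suffix (Customer::AuthModule::LDAP::Host1, Customer::AuthModule::DB::Table2, ...). At login the auth layer tries every configured auth module in turn, so with only an LDAP module configured a database-only customer is searched for in AD and fails with exactly the "no LDAP entry found" message from the log. The hostnames, DNs and secrets below are placeholders; the key names for the DB module (Table, CustomerKey, CustomerPassword) are the ones documented in Kernel/Config/Defaults.pm, and CheckCustomerBackends is this example's own sanity check, not an OTRS function.

```perl
#!/usr/bin/perl
# Added example: not code from the thread or from the OTRS/Znuny project.
# Config.pm shape for two paired customer backends, plus a check for the
# pairing rule. Hosts, DNs and secrets are placeholders.
use strict;
use warnings;

my $Self = {};    # stands in for the $Self that Kernel/Config.pm populates

# Backend 1: lookup AND authentication against AD via LDAP.
$Self->{'CustomerUser1'} = {
    Name        => 'LDAP Backend',
    Module      => 'Kernel::System::CustomerUser::LDAP',
    Params      => {
        Host   => 'ad.example.dk',          # placeholder
        BaseDN => 'dc=example,dc=dk',       # placeholder
        UserDN => 'ldapbind@example.dk',    # placeholder bind account
        UserPw => 'REDACTED',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    Map         => [
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
    ],
};
# Every key the LDAP auth module reads for backend 1 carries the suffix 1.
$Self->{'Customer::AuthModule1'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}         = 'ad.example.dk';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'}       = 'dc=example,dc=dk';
$Self->{'Customer::AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapbind@example.dk';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'REDACTED';

# Backend 2: lookup AND authentication against the customer_user table.
$Self->{'CustomerUser2'} = {
    Name        => 'Database Backend',
    Module      => 'Kernel::System::CustomerUser::DB',
    Params      => { Table => 'customer_user' },
    CustomerKey => 'login',
    CustomerID  => 'customer_id',
    Map         => [
        [ 'UserLogin',      'Username',   'login',       1, 1, 'var', '', 0 ],
        [ 'UserPassword',   'Password',   'pw',          0, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'email',       0, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
    ],
};
# The DB auth module for backend 2, again with suffix 2 on every key.
# (Check Kernel/Config/Defaults.pm of your release for optional keys such as
# a separate DSN or the password hash type.)
$Self->{'Customer::AuthModule2'}                       = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table2'}            = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey2'}      = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword2'} = 'pw';

# Keys (without suffix) that each auth module needs; extend for other modules.
my %RequiredKeys = (
    'Kernel::System::CustomerAuth::LDAP' => [
        qw(Customer::AuthModule::LDAP::Host Customer::AuthModule::LDAP::BaseDN
           Customer::AuthModule::LDAP::UID)
    ],
    'Kernel::System::CustomerAuth::DB' => [
        qw(Customer::AuthModule::DB::Table Customer::AuthModule::DB::CustomerKey
           Customer::AuthModule::DB::CustomerPassword)
    ],
);

# Walk the backend slots OTRS reads (unsuffixed, then 1..10) and report every
# CustomerUser<N> without a Customer::AuthModule<N>, and every required key
# that is missing or present only without the suffix (which slot N never reads).
sub CheckCustomerBackends {
    my ($Config) = @_;
    my @Problems;
    for my $Count ( '', 1 .. 10 ) {
        next if !$Config->{"CustomerUser$Count"};
        my $Module = $Config->{"Customer::AuthModule$Count"};
        if ( !$Module ) {
            push @Problems, "CustomerUser$Count has no Customer::AuthModule$Count;"
                . " its users are only ever tried against the other auth modules";
            next;
        }
        for my $Key ( @{ $RequiredKeys{$Module} || [] } ) {
            next if defined $Config->{"$Key$Count"};
            my $Hint = defined $Config->{$Key} ? " (found unsuffixed '$Key' instead)" : '';
            push @Problems, "Customer::AuthModule$Count is missing '$Key$Count'$Hint";
        }
    }
    return @Problems;
}

# 1) the corrected config above: expect no findings
my @Problems = CheckCustomerBackends($Self);
print "corrected config: OK\n" if !@Problems;
print "$_\n" for @Problems;

# 2) the shape from the thread: AuthModule1 with unsuffixed LDAP keys and no
#    auth module for CustomerUser2 at all
my %Broken = %{$Self};
delete @Broken{ grep { /^Customer::AuthModule/ } keys %Broken };
$Broken{'Customer::AuthModule1'}              = 'Kernel::System::CustomerAuth::LDAP';
$Broken{'Customer::AuthModule::LDAP::Host'}   = 'ad.example.dk';
$Broken{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=dk';
$Broken{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';
print "$_\n" for CheckCustomerBackends( \%Broken );
```

Run it with `perl check_backends.pl`: the corrected config reports OK, and the second run reproduces the thread's situation with one line per unsuffixed LDAP key and one line saying CustomerUser2 has no Customer::AuthModule2. The same check can be pointed at a real configuration by replacing the hand-built `$Self` with the hash that `Kernel::Config->new()` returns.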